FTP settings (3/7)
4. Work with directories

A second major control applied by the FTP Server Exit Programs is the validation of the "directory" object of the client FTP request.

Every time an FTP request is received, the directory explicitly or implicitly mentioned in the request is checked against a list of allowed directories.
If that directory is not found in the list of allowed directories, the FTP request is rejected.

NOTE 1 - If the client IP address is recognized as a privileged one, directory checks do not take place and any directory is accepted.

There are two types of allowed directories:

  1. Public allowed directories
    Access to these directories is allowed to all the user profiles defined to SECTCP via Work with user profiles.
  2. Private allowed directories
    Access to these directories is allowed only to specified SECTCP-defined user profiles.
    Note - Each user profile allowed to access a given private directory can be assigned restrictions on its FTP operations on that directory (example: read-only (receive-only)) through the SECTCP-defined data authorities *R, *W, *X.
    Detailed information is available in the help screens.

Option 4 (Work with allowed directories) from the "Secured Tcp" Menu (see Figure 2) lets you maintain the list of allowed directories.

The menu for defining allowed directories looks as follows:

                                  Secured FTP                          EASY400  
                         Work with allowed directories                          
                                                                                
  Select one of the following and press Enter                                   
                                                                                
                                                                                
    1. Public allowed directories                                               
                                                                                
    2. Private allowed directories                                              
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
  Your selection ==>  _                                                          
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
  F3=Exit  F12=Previous  F22=Command entry                                      
                                                                                
                    
Figure 5 - Menu for defining allowed directories
Several screens are available to add and to remove public and private allowed directories. All screens feature help text.
  1. To make up a generic directory name, just enter its initial characters. For instance,
    /MMAIL/TEMP will allow access to any directory starting with the same characters, e.g. /mmail/temp/subdirx .
  2. Directory names embedding asterisks or ending with an asterisk (e.g. /mmail/temp/sub*) do not work.
  3. To allow access to a library, use the IFS notation. As an example, to allow access to library QGPL, enter /QSYS.LIB/QGPL.LIB as an allowed domain.
  4. To allow access to all libraries, enter /QSYS.LIB as an allowed domain.
  5. By specifying the root directory / as an allowed domain, you allow access to all directories and all libraries in the system.
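The following Python model is an added example, not SECTCP's own code (SECTCP's exit programs run on IBM i), written to show how the two directory categories above and the generic-name rules combine into one accept/reject decision per FTP request. The order of checks (privileged IP bypass, then public directories, then private ones with *R/*W/*X) follows the text; the mapping of FTP commands to a required data authority, the function names and the sample policy values are assumptions made for illustration. It also shows the consequence of rule 1 that a practitioner should keep in mind: because matching is on leading characters, the entry /MMAIL/TEMP also admits /mmail/temporary.

```python
# Added example (not SECTCP code): model of the allowed-directory decision
# described on this page. REQUIRED_AUTH, the function names and the sample
# policy are assumptions for illustration only.
from dataclasses import dataclass, field


@dataclass
class DirectoryPolicy:
    """Allowed-directory definitions, mirroring the two SECTCP categories."""
    known_users: set[str]                       # user profiles defined to SECTCP
    public_dirs: list[str] = field(default_factory=list)
    # private prefix -> {user profile -> set of data authorities *R/*W/*X}
    private_dirs: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    privileged_ips: set[str] = field(default_factory=set)


# Assumed mapping of FTP commands to the authority they need; the page only says
# that *R, *W and *X exist and that read-only means receive-only.
REQUIRED_AUTH = {
    "RETR": "*R", "LIST": "*R", "NLST": "*R",
    "STOR": "*W", "APPE": "*W", "DELE": "*W", "RNFR": "*W", "RNTO": "*W",
    "MKD": "*W", "RMD": "*W",
    "CWD": "*X",
}


def normalize(path: str) -> str:
    """Upper-case and drop trailing slashes: the page shows /MMAIL/TEMP matching
    /mmail/temp/subdirx, so the comparison is case-insensitive."""
    p = path.strip().upper()
    while len(p) > 1 and p.endswith("/"):
        p = p[:-1]
    return p


def validate_entry(entry: str) -> str:
    """Reject entries the page says do not work (embedded or trailing '*')
    and anything that is not an IFS path; return the normalized entry."""
    if "*" in entry:
        raise ValueError(f"wildcards are not supported in allowed directories: {entry}")
    if not entry.startswith("/"):
        raise ValueError(f"allowed directory must be an IFS path: {entry}")
    return normalize(entry)


def entry_is_valid(entry: str) -> bool:
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


def matches(allowed_prefix: str, requested: str) -> bool:
    """Generic match: the request only has to start with the entry's characters,
    so /MMAIL/TEMP also matches /mmail/temporary (a consequence of rule 1)."""
    return normalize(requested).startswith(normalize(allowed_prefix))


def check_request(policy: DirectoryPolicy, user: str, client_ip: str,
                  op: str, directory: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one FTP request, in the page's order:
    privileged IP bypass, then public directories, then private ones."""
    if client_ip in policy.privileged_ips:
        return True, "privileged client IP: directory checks skipped"
    if user not in policy.known_users:
        return False, f"user profile {user} is not defined to SECTCP"
    for prefix in policy.public_dirs:
        if matches(prefix, directory):
            return True, f"public allowed directory {prefix}"
    need = REQUIRED_AUTH.get(op, "*W")   # unknown commands are treated as writes
    for prefix, grants in policy.private_dirs.items():
        if not matches(prefix, directory):
            continue
        auths = grants.get(user)
        if auths is None:
            return False, f"{user} is not allowed on private directory {prefix}"
        if need not in auths:
            return False, f"{user} lacks {need} on {prefix} for {op}"
        return True, f"private allowed directory {prefix} with {need}"
    return False, "directory not in the allowed list"


def sample_policy() -> DirectoryPolicy:
    """Constructed sample policy (user names and addresses are not from the page)."""
    p = DirectoryPolicy(known_users={"WEBUSR", "BATCH1"})
    p.public_dirs.append(validate_entry("/MMAIL/TEMP"))
    # library QGPL via IFS notation (rule 3), read-only for one user
    p.private_dirs[validate_entry("/QSYS.LIB/QGPL.LIB")] = {"BATCH1": {"*R"}}
    p.privileged_ips.add("192.0.2.10")   # constructed TEST-NET address
    return p


if __name__ == "__main__":
    pol = sample_policy()
    for args in (("WEBUSR", "198.51.100.5", "RETR", "/mmail/temp/subdirx"),
                 ("WEBUSR", "198.51.100.5", "STOR", "/mmail/temporary"),
                 ("BATCH1", "198.51.100.5", "STOR", "/QSYS.LIB/QGPL.LIB"),
                 ("NOBODY", "192.0.2.10", "STOR", "/home/other")):
        print(args, "->", check_request(pol, *args))
```

The second sample request is the one worth noticing when reviewing a SECTCP directory list: a generic entry is a character prefix, not a path component, so an entry meant for /MMAIL/TEMP should be reviewed against every sibling name that begins the same way. Private entries are evaluated only after no public entry matched, so a public entry that is a prefix of a private one makes the per-user authorities on the private entry irrelevant.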